*Action Items*
New
[AI] {Robert} will summarize the nature of NAT detection for the strategies
document.
[AI] {Kevin} will summarize ARP manipulation for the strategies document.
[AI] {Chris} will apply the red/yellow/green color scheme to the WG’s
model to be used as a discussion model for the next call.
Carry Over
[AI] {Chris} will post message to the NetAuth and FWNA lists soliciting volunteers
to develop an outline of issues for NetAuth in a federated environment.
[AI] {Eric} will update the Strategies document to include IDS and IPS remediation
and NAT device detection.
[AI] {Chris} will post changes to Strategies document to the list.
[AI] {Kevin} will incorporate WG comments into the next draft of the Futures
document and submit it to group.
[AI] {Chris} will solicit from the WG contributions about NetAuth vendor solutions
currently being used.
[AI] {Mike} will provide a brief summary of ESnet collaborative trust domain
commonalities.
[AI] {Individuals} will, via the list, send proposed topics for the Spring I2
member meeting in response to the call for proposals sent to the group.
[AI] {Individuals} will send in case studies for potential use in the Strategies
document.
[AI] {Group} will review slides posted for EDUCAUSE regional group meeting.
[AI] {Group} will review information to be used as the appendix for the Strategies
document.
[AI] {Chris} will find editors to help with the appendix of the Strategies document.
[AI] {Chris and Mark} will develop the NetAuth approach to NAT devices as a
discussion topic for submission to the Effective Practices WG.
[AI] {Group} via the list will send suggestions for use cases augmenting the
Strategies document.
[AI] {SteveO} will post I2 document standard links to the WG’s website.
*Participants*
Chris Misra, U. Massachusetts (chair)
Mark Poepping, Carnegie Mellon University
Klaas Wierenga, SURFnet
Phil Rodrigues, New York University
Kevin Amorin, Harvard University
Dave Laporte, Harvard University
Dennis Ward, University of Michigan
Robert Brentrup, Dartmouth College
Mike Wiseman, University of Toronto
Kevin Miller, Duke University
Eric Gauthier, Boston University
Rich Cropp, Penn State University
Robert Lowe, Lawrence University
Terrie Clark, Internet2 (scribe)
Renee Frost, Internet2
Steve Olshansky, Internet2
*Discussion*
There are several upcoming meetings of interest to the WG:
The Security Professionals Conference will be held April 4 – 5, 2005 in Washington, DC. For more information please see: http://www.educause.edu/sec05. The Automated Network Policy Enforcement Track session is of particular interest to the WG.
There are NetAuth WG sessions at the Spring Internet2 Member Meeting, May 2 – 4, 2005 in Washington, DC. The NetAuth/FWNA BoF is currently scheduled for 3:00PM Monday, May 2, 2005. There will also be a combined NetAuth/FWNA session at 4:00PM the same day. For more information please see: http://events.internet2.edu/2005/spring-mm/.
Several sections will be added to draft 3 of the Strategies document, covering ARP manipulation, IDS/IPS as remediation devices, and NAT detection. A change log will be added in this version. The document will also gain a section separating end-user notification from remediation, because in many environments notification takes place instead of remediation: there will be cases in which an organization cannot shut down an entire system because of one end user’s non-compliant device.
A future-state machine model document is being developed to articulate current and possible future system environments, including a federated model. The group discussed including device validation examples with this document. The group also discussed the process of a device negotiating the layers (i.e., steps or states) required to authenticate to a network. Does the flow represented in the document reasonably capture the process of authentication to a NetAuth system?
The group discussed using ‘traffic light’ logic to describe a device’s state in the authentication process. Since the definitions of “active,” “quarantined,” and “denied” are amorphous and relative to each home institution’s policies, the group decided to use the terms compliant and non-compliant to describe a device’s authentication state. Both the quarantined and the denied state are, by definition, non-compliant.
A DHCP server might not acknowledge a lease request originating from the MAC address of a non-compliant device that is connected to the network. If a device attempting to attach to the network is in a non-compliant state, the goal is to remediate the device before allowing it to attach. This can be documented in the state model diagram using the color red to reflect a state of no information, yellow to reflect the start of the device’s communication with the network, and green to reflect a compliant and authenticated device. The group will discuss transitions between these states during the next call.
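The following is an added illustration of the red/yellow/green model and the DHCP gating described above; it is not NetAuth WG material or code from any vendor solution. The event names (observe, authenticate, assess, remediated), the mapping of postures to colors, and the DHCP policy of answering only green devices are assumptions made here, since the WG deferred the definition of state transitions to its next call.

```python
"""Toy model of the NetAuth traffic-light device state machine.

Added illustration only. Events, transitions and the DHCP policy are
assumptions, not decisions recorded in the minutes.
"""
from dataclasses import dataclass
from enum import Enum


class Light(Enum):
    RED = "red"        # no information about the device yet
    YELLOW = "yellow"  # device has begun talking to the network, not yet cleared
    GREEN = "green"    # authenticated and compliant


class Posture(Enum):
    UNKNOWN = "unknown"
    COMPLIANT = "compliant"
    QUARANTINED = "quarantined"  # non-compliant by definition
    DENIED = "denied"            # non-compliant by definition


@dataclass
class Device:
    mac: str
    authenticated: bool = False
    posture: Posture = Posture.UNKNOWN

    @property
    def compliant(self) -> bool:
        # Only COMPLIANT counts; quarantined and denied collapse to non-compliant.
        return self.posture is Posture.COMPLIANT


class NetAuthModel:
    def __init__(self) -> None:
        self._devices: dict[str, Device] = {}

    def light(self, mac: str) -> Light:
        dev = self._devices.get(mac)
        if dev is None:
            return Light.RED             # never seen: no information
        if dev.authenticated and dev.compliant:
            return Light.GREEN
        return Light.YELLOW              # seen, but not yet authenticated and compliant

    # --- assumed events; the WG had not yet defined the transitions ----------
    def observe(self, mac: str) -> Light:
        """First traffic from a MAC moves it from red to yellow."""
        self._devices.setdefault(mac, Device(mac))
        return self.light(mac)

    def authenticate(self, mac: str, ok: bool) -> Light:
        """Outcome of user/device authentication; a failure is treated as denied."""
        dev = self._devices.setdefault(mac, Device(mac))
        dev.authenticated = ok
        if not ok:
            dev.posture = Posture.DENIED
        return self.light(mac)

    def assess(self, mac: str, posture: Posture) -> Light:
        """Result of a compliance check (assumed: patch level, AV, and so on)."""
        dev = self._devices.setdefault(mac, Device(mac))
        dev.posture = posture
        return self.light(mac)

    def remediated(self, mac: str) -> Light:
        """Remediation finished: a quarantined device must be re-assessed
        before it can turn green; a denied device stays denied."""
        dev = self._devices[mac]
        if dev.posture is Posture.QUARANTINED:
            dev.posture = Posture.UNKNOWN
        return self.light(mac)

    def dhcp_should_ack(self, mac: str) -> bool:
        """Assumed enforcement policy: acknowledge a production lease only for
        green devices, leaving red and yellow requests unanswered so the device
        is remediated before it attaches."""
        return self.light(mac) is Light.GREEN


if __name__ == "__main__":
    m = NetAuthModel()
    mac = "00:11:22:33:44:55"           # constructed sample MAC address
    print(m.light(mac).value)           # red: never seen
    m.observe(mac)                      # yellow: first packet
    m.authenticate(mac, ok=True)
    m.assess(mac, Posture.QUARANTINED)  # still yellow: non-compliant
    print(m.dhcp_should_ack(mac))       # False
    m.remediated(mac)
    m.assess(mac, Posture.COMPLIANT)
    print(m.light(mac).value, m.dhcp_should_ack(mac))  # green True
```

The model deliberately keeps "compliant" as a single predicate so that an institution can define quarantined and denied however its local policy requires while the enforcement point (here, the DHCP decision) only ever asks whether the device is green.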
An outline of the Futures document has been posted to the WG website. This will be further developed and used to analyze a federated authentication model in the future.
The next call is Thursday, March 31, 2005 at 12:00 PM ET. An agenda with the
call-in number will be sent to the WG via the list prior to the call.